
Introduction to Identity Provisioning service
SAP Cloud Identity Services - Identity Provisioning (IPS) is a core service of SAP Business Technology Platform. It is used to provision identities and their authorizations between source and target systems.
The source system is the system that stores the user information, for example SAP S/4HANA or SAP SuccessFactors. The target system is the system where this information is sent and consumed, in this case SAP Build Work Zone. Identity Provisioning is a central service that can be used to connect a variety of SAP cloud and on-premise systems and other selected third-party systems.
Integration of SAP Build Work Zone with Identity Authentication (IAS)
It is recommended to set up the SAP BTP platform-level trust and it is required to have OIDC-based trust on the subaccount-level established using the 'establish trust' feature. This allows applications like SAP Build Work Zone to integrate directly with IAS. If other trusted Identity Providers (IdPs) are configured on the subaccount level, temporarily disable them during the initial setup.
Once you have the above prerequisites ready, configuring the direct integration with IAS takes a few simple steps. An administrator can do this easily through the Work Zone's Design Time UI from the Site Manager > Settings > Identity Authentication screen, as shown in the screenshot below.
After the setup has been completed successfully, the screen below will be shown, meaning that the dedicated application in IAS will be created.
If you want to learn more about the integration of SAP Build Work Zone with SAP Cloud Identity services and different trust levels, please head over to this blogpost.
Exploring Role Assignments in Identity Provisioning service
Connecting to content providers is a key integration mechanism to make different business apps available to users in SAP Build Work Zone. For the configuration of a content provider, role assignment is a core aspect. There are two options available for assigning those content provider roles inside SAP Build Work Zone:
What is new?
Administrators can now explore the role assignments that are provisioned by the Identity Provisioning service. The prerequisite is that you have configured the integration with the Identity Provisioning service and the status of the connector is Connected. It is available in all SAP Build Work Zone editions, including SAP Start, SAP Build Work Zone, standard edition, SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone.
This new capability is available in the site manager under Settings > Identity Provisioning screen as shown below.
This enhancement allows the administrator to explore all the roles that were assigned to specific users and provisioned by the Identity Provisioning service. The roles returned by the search include the content roles, which are also available in the Content Manager table, as well as assigned Derived roles and Composite roles which are not visible in the Content Manager table.
To search for a user and see their role assignments, use either the email address or the Global User ID. The table of role assignments contains the information described below.
Role ID: This is the role that is directly assigned to the content for example an app, group or catalog and to the site. The same role ID is also visible in the Content Manager table. To be able to view content in the site, the user must be assigned to this role directly or indirectly via derived/composite roles.
Composite/Derived role ID: Derived and Composite roles can be assigned to ABAP applications by the content provider. These roles are not visible in the Content Manager table. Composite roles combine several single roles into one menu. When a user is assigned to a composite role, they're indirectly assigned to multiple single roles. Derived roles are single roles that have inherited authorization characteristics from a “master” parent role.
Provider ID: The system ID of the remote content provider.
Provisioned on: The date when the role was first provisioned to SAP Build Work Zone. Note that this date doesn’t change when the role is updated.
Value proposition for SAP Build Work Zone administrators
This new enhancement of exploring role assignments provisioned by the Identity Provisioning service offers administrators a highly effective and user-friendly method for troubleshooting. It allows administrators to see what roles a user has been assigned to. The filter helps them explore the data that was previously hidden behind the scenes. This feature enables our Work Zone administrators to manage data more efficiently.
Learn more!